EP2486507A1 - Malware detection by application monitoring - Google Patents

Malware detection by application monitoring

Info

Publication number
EP2486507A1
EP2486507A1 EP10760980A EP10760980A EP2486507A1 EP 2486507 A1 EP2486507 A1 EP 2486507A1 EP 10760980 A EP10760980 A EP 10760980A EP 10760980 A EP10760980 A EP 10760980A EP 2486507 A1 EP2486507 A1 EP 2486507A1
Authority
EP
European Patent Office
Prior art keywords
application
file
behaviour
computer
unexpected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP10760980A
Other languages
German (de)
French (fr)
Other versions
EP2486507B1 (en
Inventor
Jarno NIEMELÄ
Pirkka PALOMÄKI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WithSecure Oyj
Original Assignee
F Secure Oyj
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by F Secure Oyj filed Critical F Secure Oyj
Publication of EP2486507A1 publication Critical patent/EP2486507A1/en
Application granted granted Critical
Publication of EP2486507B1 publication Critical patent/EP2486507B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Definitions

  • the present invention relates to a method of detecting potential malware by monitoring the behaviour of trusted applications.
  • Malware is short for "malicious software” and is a term used to refer to any software designed to infiltrate or damage a computer system without the owner's consent.
  • Malware includes computer viruses, worms, trojans, rootkits, adware, spyware and any other malicious and unwanted software.
  • malware most often in the form of a program or other executable code, the user may notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system crashes.
  • malware Even if a malware infection does not cause a perceptible change in the performance of a device, the malware may be performing other malicious functions such as mon itoring and stealing potentially valuable commercial or personal information, or hijacking a device so that it may be exploited for some illegitimate purpose.
  • Many end users make use of security and anti-virus software to detect and possibly remove malware.
  • An example application is F-SecureTM Internet Security produced by F-Secure Corp., Helsinki, Finland.
  • an anti-virus application In order to detect a malware file, an anti-virus application must have some way of identifying it from amongst all the other clean and trusted files present on a device.
  • the anti-virus software has a database containing "signatures” or “fingerprints” that are characteristic of individual malware files.
  • the provider of the anti-virus software identifies a new malware threat, the threat is analysed and a unique signature is generated.
  • the malware is then classed as "known” and its signature can be distributed to end users as updates to their local anti-virus application databases, typically by distribution over the Internet.
  • Anti-virus applications may also make use of a database containing signatures of trusted files.
  • These trusted files are those files published or authored by trusted sources. For example, those files that make up a piece of software distributed by a reputable software provider could be considered to be trustworthy such that, provided such files have not been modified since their publication/release, these files need not be scanned for malware. Only the suspected files need to be scanned.
  • Signature scanning is only one of the "weapons" available to providers of anti-virus applications.
  • another approach commonly used in parallel with signature scanning, is to use heuristics (that is rules) that describe suspicious behaviour, indicative of malware. This is particularly relevant to detect a "Zero-day" exploit, which has not yet been identified by the anti-virus providers and for which no virus signature has been generated and distributed.
  • Heuristics can be based on behaviours such as Application Programming Interface (API) calls, attempts to send data over the Internet, etc.
  • API Application Programming Interface
  • heuristics may be combined, e.g. if target has feature 1 and feature 2 then it is malicious, or thresholds set, e.g. if target has more than 10 features it is malicious, in order to reduce the risk of false alarms.
  • the buffer overflow attack is an attack in which malware causes an otherwise trusted application to write information into a buffer which exceeds the actual size of the buffer causing a buffer overflow. This may cause the programme to crash and, when the programme restarts, the attacker's code is executed instead of the program's valid process code. When executed, the attacker's code might, for example, open a communication channel to a malicious website from which further malware is downloaded and executed.
  • a signature may be generated and distributed to client devices.
  • this may not always be effective, e.g. in the case of so- called "polymorphic" viruses which are able to mutate whilst maintaining the basic malware algorithm intact.
  • Heuristic approaches remain significant for detecting such malware, and of course more importantly for detecting zero-day malware. Providers are continuously seeking to improve upon existing heuristic-based detection engines.
  • a method of detecting malware on a computer system comprises monitoring the behaviour of trusted applications running on the computer system.
  • the method identifies a file or files responsible for the unexpected behaviour(s). It may further tag the file(s) as malicious or suspicious.
  • An unexpected behaviour of the trusted application may comprise one of:
  • the method may comprise receiving at the computer system, from a central server, a list of trusted application and respective sets of unexpected behaviours. Said step of monitoring may comprise monitoring for the occurrence of the behaviours listed for the application.
  • the method may comprise terminating the application in the event that an unexpected behaviour of the application is detected.
  • the method may comprise identifying other files written by the application exhibiting the unexpected behaviour and tagging those files as malicious or suspicious.
  • Said step of tagging the file may comprise locking the file to prevent it from being accessed and/or copied.
  • the method may involve tracing any external connections made by the application exhibiting the unexpected behaviour and blocking subsequent attempts to establish connections to the same destination.
  • a computer comprising an application monitor for monitoring the behaviour of trusted applications running on the computer.
  • the application monitor identifies a file or files responsible for the unexpected behaviour. It may tag the file(s) as malicious or suspicious.
  • a computer program for causing a computer to perform the steps of:
  • the program may cause the identified file/s to be tagged as malicious or suspicious.
  • a computer storage medium having stored thereon instructions for causing a computer to:
  • the medium may have stored thereon instructions for causing the computed to tag the identified file(s) as malicious or suspicious.
  • Figure 1 illustrates schematically a computer system for detecting malware
  • Figure 2 is a flow diagram illustrating a process of detecting malware within the system of Figure 1 .
  • Malware detection is carried out in a client-server based computer architecture.
  • An anti-virus application runs on a multiplicity of client computers whilst a backend system runs on a server typically operated by the provider of the anti-virus application.
  • the backend system is distributed over a pool or "cloud" of servers in order to provide sufficient capacity.
  • the server stores all up to date data relating to malware detection and sends this to the client computers.
  • the malware detection data includes both virus signatures and heuristics.
  • the server is continuously updated with new virus signatures and heuristics for suspected files. This distribution architecture is known.
  • the server also stores heuristics for monitoring the behaviour of trusted applications such as Microsoft Word, Excel, Power Point, Acrobat Reader/Writer etc and which are distributed to client computers.
  • the anti-virus (AV) applications running in the client computers use these heuristics for malware detection.
  • these heuristics identify, for a given trusted application, certain unexpected and therefore suspicious behaviour which, if detected in the trusted application, point to the fact that the trusted application has been hijacked.
  • a "trusted application” in this context may be an application that is certified as trusted or "clean" by a provider of security software, e.g. an anti-virus application, either based on some certificate issued by the application provider or following an anti-virus scan of the application.
  • Other definitions of "trusted” may also be used.
  • a trusted application may be defined as such by a user who has created or installed an application on his or her own computer.
  • FIG. 1 a computer architecture which comprises a server 1 connected to an example client computer 3 via a network 2. It will be appreciated that a multiplicity of client computers are also able to connect to the server 1 via the network 2.
  • the network 2 is optionally the Internet or a LAN and the server 1 may belong to a pool of servers or to a server cloud.
  • the client computer 3 may be a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, or any other suitable computer system, and is configured to run a number of applications including a set of trusted applications 7 including, for example, applications of the Microsoft Office suite, Adobe Acrobat, web browsers, etc.
  • the client computer 3 is additionally provided with an anti-virus application 9 and appropriate hardware resources for running the application, which together provide an application update receiver 4, a signature and heuristic database 5, an application monitor 6, and a reporting unit 8.
  • the application update receiver 4 is used to receive signatures and heuristics from the server 1.
  • the virus signatures and heuristics are downloaded into the signature and heuristic database 5.
  • the application monitor 6 accesses the database 6 during an application monitoring process.
  • the reporting unit 8 is used for reporting a malware detection to the user and optionally to the AV application provider.
  • the server 1 stores heuristics for monitoring the behaviour of trusted applications.
  • the server stores, for each of a set of trusted applications, a list of unexpected behaviours which may include, for example, one or more of the following:
  • Dropping executable files For example, dropping executable code into the "c/windows" line.
  • Each application has certain branches or keys in the registry tree where they store their own settings, state information and/or other information which are critical for the operation of the application. For example, Adobe Acrobat writes only to its own registry branches (e.g. to HKEY_CLASSES_ROOT/acrobat). An unexpected behaviour of a trusted application may occur when it writes to registry branches associated with, for example, start-up information, firewall settings and other security settings.
  • Figure 2 is a flow diagram illustrating a procedure for scanning for malware at the client computer 3 using a trusted application behavioural monitoring approach.
  • the figures shows the following steps:
  • the process begins with the anti-virus application being launched immediately upon booting of the client computer, or upon demand by the user.
  • the application runs as a background process on the computer, and is substantially "invisible" to the user except in the event of malware detection.
  • the application monitor of the anti-virus application communicates with the signature and heuristic database to identify certain trusted applications which are at risk of being hijacked by malware. This list is downloaded into the signature and heuristic database from the server, and may be periodically updated.
  • the application monitor continuously checks to see when a trusted application is launched.
  • the anti-virus application requests a list of unexpected behaviours for the launched application from the server.
  • the application monitor monitors the behaviour of the launched trusted application, looking in particular for the occurrence of behaviours contained in the unexpected behaviours list. S7. In the event that an unexpected behaviour is detected at S6, the application monitor immediately terminates the currently running trusted application that is exhibiting the unexpected behaviour. For example, when the application monitor detects that Microsoft Word has started to read a mail history and/or browsing history, the application monitor terminates the Word application so as to prevent any further malicious activity. Other related processes may also be terminated , e.g. a web download.
  • the application monitor After terminating the trusted application, the application monitor traces the file(s) responsible for the unexpected behaviour and tags them as malicious. For example, when the application monitor recognises that Microsoft Word has been hijacked, the application monitor traces the .doc file responsible and tags it as malicious. It may also be desirable to similarly tag all files created and handled by the hijacked application. Tagging of a file may comprise adding the file identity and/or location to a list of suspected malware or corrupted files. Tagging of a file may comprise locking the file to prevent it from being opened, copied or transferred. The file(s) may also be deleted and or an attempt to repair it/them made. The application monitor may identify other related suspicious activities. For example, if a hijacked application has connected to an unknown server, the corresponding IP address may be identified (and subsequently blocked at a firewall).
  • the application monitor takes a snapshot of the memory associated with the exploited application.
  • the application monitor reports to the user that the application has been terminated due to detection of a potential malware attack.
  • the application monitor optionally reports to the anti-virus application provider via the Internet, providing details of the attack and identifying the malicious file(s) responsible, other affected files, and any related suspicious activities.
  • the background monitoring processes continue operating in the client computer.
  • the lists of unexpected behaviours of the trusted applications can be stored in a cache memory of the client computer, e.g. in the signature and heuristic database. In this way, the client computer does not have to connect to the server each time a trusted application is launched. Updates of the behaviour lists may be pushed to the client computer (or pulled to it) together with other signature and heuristics updates.
  • the content processed, viewed or displayed and which is responsible for hijacking a trusted application may be, for example, a document file (word document, PowerPoint or P D F), image fi le (J P EG), structu red content (HTM L or XM L) or movie fi le (AVI, MPEG, DVD).
  • a trusted application may be for example Microsoft Office software, PDF viewer, image viewer, web browser, movie player or similar application.
  • these file and application types are only examples and many other types will be apparent to the skilled person.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

A method of detecting malware on a computer system. The method comprises monitoring the behaviour of trusted applications running on the computer system and, in the event that unexpected behaviour of an application is detected, identifying a file or files responsible for the unexpected behaviour and tagging the file(s) as malicious or suspicious. The unexpected behaviour of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application.

Description

MALWARE DETECTION BY APPLICATION MONITORING Technical Field The present invention relates to a method of detecting potential malware by monitoring the behaviour of trusted applications.
Background Malware is short for "malicious software" and is a term used to refer to any software designed to infiltrate or damage a computer system without the owner's consent. Malware includes computer viruses, worms, trojans, rootkits, adware, spyware and any other malicious and unwanted software. When a computer device is infected by malware, most often in the form of a program or other executable code, the user may notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system crashes. Even if a malware infection does not cause a perceptible change in the performance of a device, the malware may be performing other malicious functions such as mon itoring and stealing potentially valuable commercial or personal information, or hijacking a device so that it may be exploited for some illegitimate purpose. Many end users make use of security and anti-virus software to detect and possibly remove malware. An example application is F-Secure™ Internet Security produced by F-Secure Corp., Helsinki, Finland. In order to detect a malware file, an anti-virus application must have some way of identifying it from amongst all the other clean and trusted files present on a device. Typically, this requires that the anti-virus software has a database containing "signatures" or "fingerprints" that are characteristic of individual malware files. When the provider of the anti-virus software identifies a new malware threat, the threat is analysed and a unique signature is generated. The malware is then classed as "known" and its signature can be distributed to end users as updates to their local anti-virus application databases, typically by distribution over the Internet.
Anti-virus applications may also make use of a database containing signatures of trusted files. These trusted files are those files published or authored by trusted sources. For example, those files that make up a piece of software distributed by a reputable software provider could be considered to be trustworthy such that, provided such files have not been modified since their publication/release, these files need not be scanned for malware. Only the suspected files need to be scanned.
Signature scanning is only one of the "weapons" available to providers of anti-virus applications. For example, another approach, commonly used in parallel with signature scanning, is to use heuristics (that is rules) that describe suspicious behaviour, indicative of malware. This is particularly relevant to detect a "Zero-day" exploit, which has not yet been identified by the anti-virus providers and for which no virus signature has been generated and distributed. Heuristics can be based on behaviours such as Application Programming Interface (API) calls, attempts to send data over the Internet, etc. Typically, heuristics may be combined, e.g. if target has feature 1 and feature 2 then it is malicious, or thresholds set, e.g. if target has more than 10 features it is malicious, in order to reduce the risk of false alarms.
A particular problem is the ability of malware to hijack trusted applications such as Microsoft™ (MS) Office Suite, Adobe Acrobat Reader/Writer™, and web browsers. One of the ways to achieve this is the so-called "buffer overflow attack". The buffer overflow attack is an attack in which malware causes an otherwise trusted application to write information into a buffer which exceeds the actual size of the buffer causing a buffer overflow. This may cause the programme to crash and, when the programme restarts, the attacker's code is executed instead of the program's valid process code. When executed, the attacker's code might, for example, open a communication channel to a malicious website from which further malware is downloaded and executed.
Of course, once a particular piece of malware that hijacks trusted programmes has been identified by the anti-virus provider, a signature may be generated and distributed to client devices. However, this may not always be effective, e.g. in the case of so- called "polymorphic" viruses which are able to mutate whilst maintaining the basic malware algorithm intact. Heuristic approaches remain significant for detecting such malware, and of course more importantly for detecting zero-day malware. Providers are continuously seeking to improve upon existing heuristic-based detection engines.
Summary
It is an object of the present invention to detect potential malware by monitoring the behaviour of trusted applications to detect any unexpected behaviours.
According to a first aspect of the present invention there is provided a method of detecting malware on a computer system. The method comprises monitoring the behaviour of trusted applications running on the computer system. In the event that one or more unexpected behaviours of an application is/are detected, the method identifies a file or files responsible for the unexpected behaviour(s). It may further tag the file(s) as malicious or suspicious.
Whilst traditional heuristic approaches to malware detection monitor and detect the behaviour of untrusted files, the heuristic approach of the present invention looks at the behaviour of trusted applications. The present invention provides a further defence against malware attacks.
An unexpected behaviour of the trusted application may comprise one of:
dropping an executable file;
deleting executable files after execution;
performing modifications to a registry branch which is not a registry branch of the application;
reading or writing a file type class which is not a file type class normally associated with the application;
writing to a data file which is not a data file associated with the application; writing portable executable files;
crashing of the application followed by a re-start; disabling a security setting such as a firewall and/or disabling an anti-virus application;
reading mail files;
installing plugins to a web browser;
initiating a network download from an unidentified source.
The method may comprise receiving at the computer system, from a central server, a list of trusted application and respective sets of unexpected behaviours. Said step of monitoring may comprise monitoring for the occurrence of the behaviours listed for the application.
The method may comprise terminating the application in the event that an unexpected behaviour of the application is detected. The method may comprise identifying other files written by the application exhibiting the unexpected behaviour and tagging those files as malicious or suspicious. Said step of tagging the file may comprise locking the file to prevent it from being accessed and/or copied. The method may involve tracing any external connections made by the application exhibiting the unexpected behaviour and blocking subsequent attempts to establish connections to the same destination.
According to a second aspect of the present invention there is provided a computer comprising an application monitor for monitoring the behaviour of trusted applications running on the computer. In the event that unexpected behaviour of an application is detected, the application monitor identifies a file or files responsible for the unexpected behaviour. It may tag the file(s) as malicious or suspicious. According to a third aspect of the present invention , there is provided a computer program for causing a computer to perform the steps of:
monitoring the behaviour of trusted applications running on the computer;
detecting one or more unexpected behaviours of an application; and
identifying a file or files responsible for the unexpected behaviour(s). The program may cause the identified file/s to be tagged as malicious or suspicious.
According to a fourth aspect of the present invention, there is provided a computer storage medium having stored thereon instructions for causing a computer to:
monitor the behaviour of trusted applications running on the computer system; detect one or more unexpected behaviours of an application; and
identify a file or files responsible for the unexpected behaviour(s). The medium may have stored thereon instructions for causing the computed to tag the identified file(s) as malicious or suspicious.
Brief Description of the Drawings Figure 1 illustrates schematically a computer system for detecting malware; and
Figure 2 is a flow diagram illustrating a process of detecting malware within the system of Figure 1 .
Detailed Description
Malware detection is carried out in a client-server based computer architecture. An anti-virus application runs on a multiplicity of client computers whilst a backend system runs on a server typically operated by the provider of the anti-virus application. [Typically the backend system is distributed over a pool or "cloud" of servers in order to provide sufficient capacity.] The server stores all up to date data relating to malware detection and sends this to the client computers. The malware detection data includes both virus signatures and heuristics. The server is continuously updated with new virus signatures and heuristics for suspected files. This distribution architecture is known. In accordance with an embodiment of the present invention, the server also stores heuristics for monitoring the behaviour of trusted applications such as Microsoft Word, Excel, Power Point, Acrobat Reader/Writer etc and which are distributed to client computers. The anti-virus (AV) applications running in the client computers use these heuristics for malware detection. In particular, these heuristics identify, for a given trusted application, certain unexpected and therefore suspicious behaviour which, if detected in the trusted application, point to the fact that the trusted application has been hijacked. A "trusted application" in this context may be an application that is certified as trusted or "clean" by a provider of security software, e.g. an anti-virus application, either based on some certificate issued by the application provider or following an anti-virus scan of the application. Other definitions of "trusted" may also be used. For example, a trusted application may be defined as such by a user who has created or installed an application on his or her own computer.
There is illustrated in Figure 1 a computer architecture which comprises a server 1 connected to an example client computer 3 via a network 2. It will be appreciated that a multiplicity of client computers are also able to connect to the server 1 via the network 2. The network 2 is optionally the Internet or a LAN and the server 1 may belong to a pool of servers or to a server cloud. The client computer 3 may be a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, or any other suitable computer system, and is configured to run a number of applications including a set of trusted applications 7 including, for example, applications of the Microsoft Office suite, Adobe Acrobat, web browsers, etc. The client computer 3 is additionally provided with an anti-virus application 9 and appropriate hardware resources for running the application, which together provide an application update receiver 4, a signature and heuristic database 5, an application monitor 6, and a reporting unit 8.
The application update receiver 4 is used to receive signatures and heuristics from the server 1. The virus signatures and heuristics are downloaded into the signature and heuristic database 5. The application monitor 6 accesses the database 6 during an application monitoring process. The reporting unit 8 is used for reporting a malware detection to the user and optionally to the AV application provider.
As already mentioned above, the server 1 stores heuristics for monitoring the behaviour of trusted applications. In particular, the server stores, for each of a set of trusted applications, a list of unexpected behaviours which may include, for example, one or more of the following:
• Dropping executable files. For example, dropping executable code into the "c/windows" line.
• Dropping an executable file and deleting the file after execution.
· Suspicious behaviour by a file written by the trusted application.
• Downloading files or instructions from a server which is not a server associated with the application provider. For example, an Adobe Acrobat application establishes network connections to check for updates, but to a server other than to Adobe's own server.
· Modifying of a registry branch which is not a registry branch of the application.
Each application has certain branches or keys in the registry tree where they store their own settings, state information and/or other information which are critical for the operation of the application. For example, Adobe Acrobat writes only to its own registry branches (e.g. to HKEY_CLASSES_ROOT/acrobat). An unexpected behaviour of a trusted application may occur when it writes to registry branches associated with, for example, start-up information, firewall settings and other security settings.
• Modifying system security settings, such as disabling Windows firewall.
• Killing anti-virus applications or other security applications.
· Reading or writing a file type class which is not a file type class of the application. For example a ".doc" file should not cause Word to read from a ".ppt" file or to read Internet Explorer cache files or outlook address files.
• Crashing of an application immediately upon, or shortly after launching of an application by a first file, followed by a re-start in respect of a second, different file. Such behaviour may be used by malware to hide executable code contained in the first file.
• Installing plugins to Internet Explorer or other network browser.
Figure 2 is a flow diagram illustrating a procedure for scanning for malware at the client computer 3 using a trusted application behavioural monitoring approach. In particular, the figures shows the following steps:
S1 . The process begins with the anti-virus application being launched immediately upon booting of the client computer, or upon demand by the user. The application runs as a background process on the computer, and is substantially "invisible" to the user except in the event of malware detection.
52. The application monitor of the anti-virus application communicates with the signature and heuristic database to identify certain trusted applications which are at risk of being hijacked by malware. This list is downloaded into the signature and heuristic database from the server, and may be periodically updated.
53. The application monitor continuously checks to see when a trusted application is launched.
54. Once the launch of a trusted application is detected by the application monitor, the anti-virus application requests a list of unexpected behaviours for the launched application from the server.
S5 and 6. The application monitor monitors the behaviour of the launched trusted application, looking in particular for the occurrence of behaviours contained in the unexpected behaviours list. S7. In the event that an unexpected behaviour is detected at S6, the application monitor immediately terminates the currently running trusted application that is exhibiting the unexpected behaviour. For example, when the application monitor detects that Microsoft Word has started to read a mail history and/or browsing history, the application monitor terminates the Word application so as to prevent any further malicious activity. Other related processes may also be terminated , e.g. a web download.
S8. After terminating the trusted application, the application monitor traces the file(s) responsible for the unexpected behaviour and tags them as malicious. For example, when the application monitor recognises that Microsoft Word has been hijacked, the application monitor traces the .doc file responsible and tags it as malicious. It may also be desirable to similarly tag all files created and handled by the hijacked application. Tagging of a file may comprise adding the file identity and/or location to a list of suspected malware or corrupted files. Tagging of a file may comprise locking the file to prevent it from being opened, copied or transferred. The file(s) may also be deleted and or an attempt to repair it/them made. The application monitor may identify other related suspicious activities. For example, if a hijacked application has connected to an unknown server, the corresponding IP address may be identified (and subsequently blocked at a firewall).
S9. The application monitor takes a snapshot of the memory associated with the exploited application. S10. The application monitor reports to the user that the application has been terminated due to detection of a potential malware attack. The application monitor optionally reports to the anti-virus application provider via the Internet, providing details of the attack and identifying the malicious file(s) responsible, other affected files, and any related suspicious activities. The background monitoring processes continue operating in the client computer.
It will be appreciated that the lists of unexpected behaviours of the trusted applications can be stored in a cache memory of the client computer, e.g. in the signature and heuristic database. In this way, the client computer does not have to connect to the server each time a trusted application is launched. Updates of the behaviour lists may be pushed to the client computer (or pulled to it) together with other signature and heuristics updates.
It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention. For example, it will be appreciated that, rather than apply a list of unexpected behaviours to detect potential malware, i.e. a black list of behaviours, a list of expected behaviours or white list may be used. In this case, for a given trusted application, occurrence of a behaviour not on the whitelist may be considered "unexpected", resulting in termination of the application and tagging of the responsible file or files as malicious. Of course, both a black list and a white list may be used together, with other behaviours being considered suspicious rather than malicious. Black lists and white lists of behaviours are typically determined in a test environment operated by the ant-virus application provider, e.g. using clean applications running in a virtual system.
The content processed, viewed or displayed and which is responsible for hijacking a trusted application may be, for example, a document file (word document, PowerPoint or P D F), image fi le (J P EG), structu red content (HTM L or XM L) or movie fi le (AVI, MPEG, DVD). A trusted application may be for example Microsoft Office software, PDF viewer, image viewer, web browser, movie player or similar application. Of course, these file and application types are only examples and many other types will be apparent to the skilled person.

Claims

CLAIMS:
1 . A method of detecting malware on a computer system, the method comprising: monitoring the behaviour of trusted applications running on the computer system and, in the event that one or more unexpected behaviours of an application is detected, identifying a file or files responsible for the unexpected behaviour.
2. A method according to claim 1 , wherein an unexpected behaviour of the application comprises one of:
dropping an executable file;
deleting executable files after execution;
performing modifications to a registry branch which is not a registry branch of the application;
reading or writing a file type class which is not a file type class normally associated with the application;
writing to a data file which is not a data file associated with the application; writing portable executable files;
crashing of the application followed by a re-start;
disabling a security setting such as a firewall and/or disabling an anti-virus application;
reading mail files;
installing plugins to a web browser;
initiating a network download from an unidentified source.
3. A method according to claim 1 or 2, comprising receiving at the computer system, from a central server, a list of trusted application and respective sets of unexpected behaviours, said step of monitoring comprising monitoring for the occurrence of the behaviours listed for the application.
4. A method according to claim 1 , 2 or 3, comprising terminating the application in the event that an unexpected behaviour of the application is detected.
5. A method according to any preceding claim, comprising tagging the identified file(s) as malicious or suspicious.
6. A method according to claim 5 and comprising identifying other files written by the application exhibiting the unexpected behaviour and tagging those files as malicious or suspicious.
7. A method according to claim 5, said step of tagging the file comprising locking the file to prevent it from being accessed and/or copied.
8. A method according to any preceding claim, comprising tracing any external connections made by the application exhibiting the unexpected behaviour and blocking subsequent attempts to establish connections to the same destination.
9. A computer comprising an application monitor for monitoring the behaviour of trusted applications running on the computer and, in the event that unexpected behaviour of an application is detected, for identifying a file or files responsible for the unexpected behaviour.
10. A computer according to claim 9 , said application mon itor being further configured to tag the identified file(s) as malicious or suspicious
1 1 . A computer program for causing a computer to perform the steps of:
monitoring the behaviour of trusted applications running on the computer ;
detecting one or more unexpected behaviours of an application; and
identifying a file or files responsible for the unexpected behaviour(s).
12. A computer program according to claim 1 1 for causing a computer to perform the further step of tagging the identified file(s) as malicious or suspicious.
13. A computer storage medium having stored thereon instructions for causing a computer to:
monitor the behaviour of trusted applications running on the computer system; detect one or more unexpected behaviours of an application; and identify a file or files responsible for the unexpected behaviour(s).
14. A computer storage medium according to claim 13 having stored thereon instructions to cause a computer to tag the identified file(s) as malicious or suspicious.
EP10760980.2A 2009-10-07 2010-09-22 Malware detection by application monitoring Active EP2486507B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/587,521 US8590045B2 (en) 2009-10-07 2009-10-07 Malware detection by application monitoring
PCT/EP2010/063969 WO2011042304A1 (en) 2009-10-07 2010-09-22 Malware detection by application monitoring

Publications (2)

Publication Number Publication Date
EP2486507A1 true EP2486507A1 (en) 2012-08-15
EP2486507B1 EP2486507B1 (en) 2016-08-17

Family

ID=43066953

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10760980.2A Active EP2486507B1 (en) 2009-10-07 2010-09-22 Malware detection by application monitoring

Country Status (3)

Country Link
US (1) US8590045B2 (en)
EP (1) EP2486507B1 (en)
WO (1) WO2011042304A1 (en)

Families Citing this family (89)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7139565B2 (en) 2002-01-08 2006-11-21 Seven Networks, Inc. Connection architecture for a mobile network
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
US7917468B2 (en) 2005-08-01 2011-03-29 Seven Networks, Inc. Linking of personal information management data
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
WO2006136660A1 (en) 2005-06-21 2006-12-28 Seven Networks International Oy Maintaining an ip connection in a mobile network
US7769395B2 (en) 2006-06-20 2010-08-03 Seven Networks, Inc. Location-based operations and messaging
US8805425B2 (en) 2007-06-01 2014-08-12 Seven Networks, Inc. Integrated messaging
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US8862657B2 (en) 2008-01-25 2014-10-14 Seven Networks, Inc. Policy based content service
US20090193338A1 (en) 2008-01-28 2009-07-30 Trevor Fiatal Reducing network and battery consumption during content delivery and playback
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
US8850579B1 (en) * 2009-11-13 2014-09-30 SNS Soft LLC Application of nested behavioral rules for anti-malware processing
US20110225649A1 (en) * 2010-03-11 2011-09-15 International Business Machines Corporation Protecting Computer Systems From Malicious Software
US10095530B1 (en) * 2010-05-28 2018-10-09 Bromium, Inc. Transferring control of potentially malicious bit sets to secure micro-virtual machine
US9251282B2 (en) * 2010-06-21 2016-02-02 Rapid7 LLC Systems and methods for determining compliance of references in a website
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
EP3407673B1 (en) 2010-07-26 2019-11-20 Seven Networks, LLC Mobile network traffic coordination across multiple applications
CN103078864B (en) 2010-08-18 2015-11-25 北京奇虎科技有限公司 A kind of Initiative Defense Ile repair method based on cloud security
US8903954B2 (en) 2010-11-22 2014-12-02 Seven Networks, Inc. Optimization of resource polling intervals to satisfy mobile device requests
WO2012060995A2 (en) 2010-11-01 2012-05-10 Michael Luna Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
WO2012071283A1 (en) 2010-11-22 2012-05-31 Michael Luna Aligning data transfer to optimize connections established for transmission over a wireless network
WO2012094675A2 (en) 2011-01-07 2012-07-12 Seven Networks, Inc. System and method for reduction of mobile network traffic used for domain name system (dns) queries
EP2700021A4 (en) 2011-04-19 2016-07-20 Seven Networks Llc Shared resource and virtual resource management in a networked environment
US8621075B2 (en) 2011-04-27 2013-12-31 Seven Metworks, Inc. Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
GB2493473B (en) 2011-04-27 2013-06-19 Seven Networks Inc System and method for making requests on behalf of a mobile device based on atomic processes for mobile network traffic relief
US8042186B1 (en) * 2011-04-28 2011-10-18 Kaspersky Lab Zao System and method for detection of complex malware
US9152791B1 (en) * 2011-05-11 2015-10-06 Trend Micro Inc. Removal of fake anti-virus software
WO2013015994A1 (en) * 2011-07-27 2013-01-31 Seven Networks, Inc. Monitoring mobile application activities for malicious traffic on a mobile device
US20130097203A1 (en) * 2011-10-12 2013-04-18 Mcafee, Inc. System and method for providing threshold levels on privileged resource usage in a mobile network environment
US8934414B2 (en) 2011-12-06 2015-01-13 Seven Networks, Inc. Cellular or WiFi mobile traffic optimization based on public or private network destination
EP2789138B1 (en) 2011-12-06 2016-09-14 Seven Networks, LLC A mobile device and method to utilize the failover mechanisms for fault tolerance provided for mobile traffic management and network/device resource conservation
US9277443B2 (en) 2011-12-07 2016-03-01 Seven Networks, Llc Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
GB2498064A (en) 2011-12-07 2013-07-03 Seven Networks Inc Distributed content caching mechanism using a network operator proxy
EP2792188B1 (en) 2011-12-14 2019-03-20 Seven Networks, LLC Mobile network reporting and usage analytics system and method using aggregation of data in a distributed traffic optimization system
US8909202B2 (en) 2012-01-05 2014-12-09 Seven Networks, Inc. Detection and management of user interactions with foreground applications on a mobile device in distributed caching
WO2013116856A1 (en) 2012-02-02 2013-08-08 Seven Networks, Inc. Dynamic categorization of applications for network access in a mobile network
US9326189B2 (en) 2012-02-03 2016-04-26 Seven Networks, Llc User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US20130239214A1 (en) * 2012-03-06 2013-09-12 Trusteer Ltd. Method for detecting and removing malware
US8281399B1 (en) 2012-03-28 2012-10-02 Symantec Corporation Systems and methods for using property tables to perform non-iterative malware scans
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
WO2013155208A1 (en) 2012-04-10 2013-10-17 Seven Networks, Inc. Intelligent customer service/call center services enhanced using real-time and historical mobile application and traffic-related statistics collected by a distributed caching system in a mobile network
US9152784B2 (en) 2012-04-18 2015-10-06 Mcafee, Inc. Detection and prevention of installation of malicious mobile applications
US9313211B1 (en) * 2012-04-18 2016-04-12 Symantec Corporation Systems and methods to protect against a vulnerability event
WO2014011216A1 (en) 2012-07-13 2014-01-16 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US11126720B2 (en) 2012-09-26 2021-09-21 Bluvector, Inc. System and method for automated machine-learning, zero-day malware detection
US9292688B2 (en) * 2012-09-26 2016-03-22 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
TWI474213B (en) * 2013-01-09 2015-02-21 Hope Bay Technologies Inc Cloud system for threat protection and protection method using for the same
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US8750123B1 (en) 2013-03-11 2014-06-10 Seven Networks, Inc. Mobile device equipped with mobile network congestion recognition to make intelligent decisions regarding connecting to an operator network
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network
US9961133B2 (en) 2013-11-04 2018-05-01 The Johns Hopkins University Method and apparatus for remote application monitoring
US10567398B2 (en) 2013-11-04 2020-02-18 The Johns Hopkins University Method and apparatus for remote malware monitoring
RU2571723C2 (en) 2013-12-05 2015-12-20 Закрытое акционерное общество "Лаборатория Касперского" System and method of reducing load on operating system when executing antivirus application
US9171154B2 (en) * 2014-02-12 2015-10-27 Symantec Corporation Systems and methods for scanning packed programs in response to detecting suspicious behaviors
US9690928B2 (en) * 2014-10-25 2017-06-27 Mcafee, Inc. Computing platform security methods and apparatus
US10073972B2 (en) 2014-10-25 2018-09-11 Mcafee, Llc Computing platform security methods and apparatus
US9584532B2 (en) * 2014-10-31 2017-02-28 Ncr Corporation Enterprise intrusion detection and remediation
JP6916112B2 (en) 2014-11-21 2021-08-11 ブルヴェクター, インコーポレーテッドBluvector, Inc. Network data characterization system and method
RU2595511C2 (en) * 2014-12-05 2016-08-27 Закрытое акционерное общество "Лаборатория Касперского" System and method of trusted applications operation in the presence of suspicious applications
US9690606B1 (en) 2015-03-25 2017-06-27 Fireeye, Inc. Selective system call monitoring
US9654496B1 (en) * 2015-03-31 2017-05-16 Juniper Networks, Inc. Obtaining suspect objects based on detecting suspicious activity
RU2589862C1 (en) 2015-06-30 2016-07-10 Закрытое акционерное общество "Лаборатория Касперского" Method of detecting malicious code in random-access memory
US10089465B2 (en) 2015-07-24 2018-10-02 Bitdefender IPR Management Ltd. Systems and methods for tracking malicious behavior across multiple software entities
KR20170070694A (en) * 2015-12-14 2017-06-22 삼성전자주식회사 Electronic device and operating method for the same
US10984103B2 (en) 2016-01-26 2021-04-20 Hewlett Packard Enterprise Development Lp Malware detection
GB2547272B (en) * 2016-02-15 2020-07-15 F Secure Corp Improving security of computer resources
EP3440818B1 (en) * 2016-04-06 2022-06-22 Karamba Security Reporting and processing controller security information
WO2017175157A1 (en) 2016-04-06 2017-10-12 Karamba Security Secure controller operation and malware prevention
EP3440817B1 (en) 2016-04-06 2022-06-22 Karamba Security Automated security policy generation for controllers
WO2017175160A1 (en) 2016-04-06 2017-10-12 Karamba Security Centralized controller management and anomaly detection
US10621333B2 (en) * 2016-08-08 2020-04-14 International Business Machines Corporation Install-time security analysis of mobile applications
US10733301B2 (en) 2016-08-24 2020-08-04 Microsoft Technology Licensing, Llc Computing device protection based on device attributes and device risk factor
EP3539043B1 (en) * 2016-11-09 2021-11-03 Dev/Con Detect, Inc. Digital auditing system and method for detecting unauthorized activities on websites
US10121003B1 (en) * 2016-12-20 2018-11-06 Amazon Technologies, Inc. Detection of malware, such as ransomware
US10878103B2 (en) 2017-06-05 2020-12-29 Karamba Security Ltd. In-memory protection for controller security
US10204219B2 (en) 2017-06-05 2019-02-12 Karamba Security In-memory protection for controller security
GB201709812D0 (en) * 2017-06-20 2017-08-02 Ibm Identification of software components based on filtering of corresponding events
US10764134B2 (en) * 2018-06-22 2020-09-01 Blackberry Limited Configuring a firewall system in a vehicle network
US11163633B2 (en) 2019-04-24 2021-11-02 Bank Of America Corporation Application fault detection and forecasting
CN115033139B (en) * 2021-03-04 2024-02-27 合肥杰发科技有限公司 Method and related device for starting application program interface
GB2626375A (en) * 2023-01-23 2024-07-24 Withsecure Corp An arrangement and a method of threat detection in a computing device or a computer network

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6609199B1 (en) * 1998-10-26 2003-08-19 Microsoft Corporation Method and apparatus for authenticating an open system application to a portable IC device
US7313822B2 (en) * 2001-03-16 2007-12-25 Protegrity Corporation Application-layer security method and system
US7295516B1 (en) * 2001-11-13 2007-11-13 Verizon Services Corp. Early traffic regulation techniques to protect against network flooding
US20030149887A1 (en) * 2002-02-01 2003-08-07 Satyendra Yadav Application-specific network intrusion detection
US7231667B2 (en) * 2003-05-29 2007-06-12 Computer Associates Think, Inc. System and method for computer virus detection utilizing heuristic analysis
US7464158B2 (en) * 2003-10-15 2008-12-09 International Business Machines Corporation Secure initialization of intrusion detection system
US7594272B1 (en) 2004-10-05 2009-09-22 Symantec Corporation Detecting malicious software through file group behavior
IL173472A (en) 2006-01-31 2010-11-30 Deutsche Telekom Ag Architecture for identifying electronic threat patterns
US8171554B2 (en) * 2008-02-04 2012-05-01 Yuval Elovici System that provides early detection, alert, and response to electronic threats
GB2461870B (en) * 2008-07-14 2012-02-29 F Secure Oyj Malware detection
US8935789B2 (en) * 2008-07-21 2015-01-13 Jayant Shukla Fixing computer files infected by virus and other malware

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2011042304A1 *

Also Published As

Publication number Publication date
EP2486507B1 (en) 2016-08-17
WO2011042304A1 (en) 2011-04-14
US8590045B2 (en) 2013-11-19
US20110083186A1 (en) 2011-04-07

Similar Documents

Publication Publication Date Title
US8590045B2 (en) Malware detection by application monitoring
US10599841B2 (en) System and method for reverse command shell detection
US10691792B2 (en) System and method for process hollowing detection
CN109684832B (en) System and method for detecting malicious files
RU2531861C1 (en) System and method of assessment of harmfullness of code executed in addressing space of confidential process
RU2646352C2 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US7530106B1 (en) System and method for security rating of computer processes
US8381298B2 (en) Malware detention for suspected malware
US7836504B2 (en) On-access scan of memory for malware
US8918878B2 (en) Restoration of file damage caused by malware
US8719924B1 (en) Method and apparatus for detecting harmful software
US7934261B1 (en) On-demand cleanup system
US9147073B2 (en) System and method for automatic generation of heuristic algorithms for malicious object identification
US20080016339A1 (en) Application Sandbox to Detect, Remove, and Prevent Malware
EP1760620A2 (en) Methods and Systems for Detection of Forged Computer Files
US20090199297A1 (en) Thread scanning and patching to disable injected malware threats
US20130227691A1 (en) Detecting Malicious Network Content
KR20090023644A (en) Identifying malware in a boot environment
Min et al. Antivirus security: naked during updates
US9275231B1 (en) Method and apparatus for securing a computer using an optimal configuration for security software based on user behavior
US8726377B2 (en) Malware determination
US7840958B1 (en) Preventing spyware installation
Kaur Network Security: Anti-virus.

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120426

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20141117

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602010035630

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: G06F0021000000

Ipc: G06F0021560000

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/57 20130101ALI20160318BHEP

Ipc: G06F 21/56 20130101AFI20160318BHEP

INTG Intention to grant announced

Effective date: 20160413

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 821692

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160915

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602010035630

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20160817

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 821692

Country of ref document: AT

Kind code of ref document: T

Effective date: 20160817

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20161117

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160930

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20161219

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20161118

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602010035630

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20161117

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: BE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20170531

26N No opposition filed

Effective date: 20170518

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20161017

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160922

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160930

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160930

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160922

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20100922

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20160930

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20160817

REG Reference to a national code

Ref country code: DE

Ref legal event code: R081

Ref document number: 602010035630

Country of ref document: DE

Owner name: WITHSECURE CORPORATION, FI

Free format text: FORMER OWNER: F-SECURE CORP., HELSINKI, FI

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240919

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20240918

Year of fee payment: 15